Privacy policy

Latest update: September 2023

Confidentiality and security are core values for COBEE. This means that we are committed to ensuring the privacy of our clients’ personal data at all times, to collecting only the information we need, and no more.

All the necessary information about the personal data we collect, how we process it and your rights is explained as follows:

  1. Who processes my personal data?

PERK  FINANCE,  S.L.  (“COBEE”),  holder  of  Tax  ID No. B-88.243.233, with registered office in Calle Francisco de Rojas Esc. Dcha. 1º 3º – 28010, Madrid, who may act as either of the following two entities:

  • Data Controller: responsible for data processing when relationships are established on its own behalf with data subjects or natural persons who are data  subjects  (i.e.  when,  apart  from  a service provision contract with a company, it is the company’s own employees who directly provide their personal data to COBEE).
  • Data Processor: responsible for data processing when accessing the personal data of data subjects in order to provide the service contracted by a data controller belonging to a client company. The latter will be the usual case, i.e. a company contracts COBEE, entering into a service contract agreement for this purpose in order for the employees of this

company to use the COBEE platform and benefit from the so-called flexible remuneration scheme. In this case, it is the employing company (client company) that collects the personal data of its employees and subsequently provides it to COBEE for the provision of the service.

For this purpose, COBEE has an email address at its disposal (privacy@cobee.io) for  all  users  of  COBEE’s  social  media  on  the  website  (www.cobee.io)  (the  “ Website”) and the APP.

COBEE processes your data in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND COUNCIL, 27 April 2016, on the protection of individuals with regard to personal data processing, free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

  1. Who controls your personal data in COBEE?

COBEE´s Data Protection Officer, or DPO, is the guarantor of compliance with data protection regulations within COBEE.

You may contact COBEE’s Data protection Officer at the following email address: dpo@cobee.io.

You may consult the appointment of our Data Protection Delegate on the website of the Spanish Data Protection Agency via the following link.

  1. Who are the data subjects?

Personal data collected and processed may come from the following data subjects:

  • Clients and future clients who use the COBEE website:
    • Individuals who provided us with their data on the different forms on our website to make enquiries or obtain information about our products and services.
    • Individuals who asked for a personalized demonstration or free trial.
    • Those who requested information on COBEE novelties, products, services and special offers or promotions.
    • Users of the chatbot included in COBEE’s website.
  • End Clients and users of the COBEE platform:
    • Companies that provided their data to enter into the Service Contract Agreement with COBEE.
    • Administrators and End Users of the COBEE platform.
  • Suppliers:
    • Companies that disclose personal data to us to enter into a Service Contract  Agreement  (identification,  contact  information,  address, bank account number, etc.).
  • Candidates:
    • Those who submitted an application to participate in recruitment processes.
  • Employees:
    • Current employees for the purpose of internal relationship management.
  • Website visitors:
    • Those who browse our website and accept our analytical cookies.
    • Users of the chatbot included in COBEE´s website.
  1. What personal data do we process?

Whether acting as Data Controller or Data Processor, different types of personal data are processed, including:

  • Personal contact information, such as name, email address and phone number.
  • User’s bank account information, including user ID and password.
  • Payment information, such as COBEE’s physical and/or virtual card details.
  • User profile information, such as the company you work for, your employee ID and your benefits model.
  • Benefit claim information, such as personal data of the employee and/or employee’s family members, as well as images of official documents.
  • Usage information, such as how often the application and services are used.
  • Identity card or driving licence (if you are a user of a vehicle leasing service).
  • User’s photograph or image.

The aforesaid personal data is provided to COBEE in different ways, including:

  • Directly by the company, when data from its employees is transferred.
  • Directly by the employee, when they create a COBEE account or use our services.
  1. What is the purpose and legitimate interest of using your personal data?

COBEE processes personal data in order to respond to requests for information, respond to your requests or provide contracted services.

Such personal data is processed for the following legitimate purposes:

5.1 COBEE as Data Controller

PurposeData subjectsData categoriesLegitimate basisData retention period
Formalization, development and execution of the contract

The processing of personal data belonging to the contact persons of our clients and suppliers is necessary for the execution of the contract between COBEE and our clients and suppliers, as well as for the maintenance, development and execution of the contractual relationship.

COBEE processes the personal data of the contact persons of our clients and suppliers, among others, in order to manage the commercial and mercantile relationship with them.		Customers
Prospective clients
Suppliers		Personal data (first name and surname(s))
Contact details (address, business mail)		Execution of the contractOnce the services listed in the contract have been completed, the data included in the contract will be retained for 6 years, duly blocked, and notwithstanding the data subjects having duly exercised their rights of deletion or opposition prior to the end of said period.
Processing payments, receipts and invoicing

COBEE will process the data of our clients in order to send them invoices and charge the   amounts agreed in the Service Contract.

In the same way, COBEE will process the data of its suppliers in order to proceed with payment of   the agreed services.
Clients
Suppliers		Personal data (first name and surname(s))
Contact details (address, business mail)
Bank account information		Execution of the contractPursuant to article 30 in  the  Spanish Commercial Code, invoicing data shall be retained for 6 years after having been issued.
Reply to requests for information or personal contact

COBEE uses the personal contact details provided to respond to your requests and enquiries about products and services, whether made through the form available on the websites or submitted using the contact email addresses published on the websites or via our chatbot.

Clients
Prospective clients
Website users		Personal data (first name and surname(s))
Contact details (address, business mail)		ConsentOnce the request has been duly addressed, the personal data will be retained, duly blocked, for a period of one year.
Sending commercial communications

COBEE processes the given contact details to inform the data subjects who have consented to receiving commercial information.  Such information may be about products,
services, activities, news, and/or any sales promotions that may be of interest to you and related to COBEE’s activities.
Clients
Prospective clients		Personal data (first name and surname(s))
Contact details (address, business mail)		ConsentThe data will be processed for this purpose until the data subject duly revokes his or her consent.
Request for demos and free trails

COBEE uses the contact details provided by the data subjects to schedule a demo or free trial.		Clients
Prospective clients		Personal data (first name and surname(s))
Contact details (address, business mail)
Position and company		ConsentAfter the free trial, the personal data will be retained, duly blocked, for a period of one year, if no service contract is entered into before this period expires.
Website visit analysis

COBEE uses different techniques to compile information. These techniques may be used to obtain analytical data about visits and browsing on the pages of our websites.

This analytical data involves the use of external services with their own privacy policy. These
companies may cross-reference your browsing data with their internal records in order to use it for ad targeting, even if you do not have a registered account with their services.

For further
information, please consult our Cookie Policy.
Website usersOnline identifiers, including identification cookies.

Internet protocol (IP) addresses
and device identifiers.

Customer identifiers.

Information contained in the HTTP headers of requests sent over the Internet, such as the type of device, operating system and browser from which the pages are visited.

Information provided by the browser, such as preferred language, time zone, etc.

Website browsing data: pages visited.		ConsentData will be retained in accordance   with the terms set out in our Cookie Policy and the privacy policies of analytic cookie providers.
Processing candidatures for open recruitment processes

COBEE processes the personal data of those who wish to apply for open recruitment processes in the company.
Candidates
Employees		Personal data (first name and surname(s))
Contact details (address, business mail)
Professional data (CV)		Consent and, where applicable, contract execution.Candidates’ data will be retained for one year after the end of the recruitment process, so that they can be contacted again if there is a new vacancy that might suit them.

5.2 COBEE as Data Processor

PurposeData subjectsData categoriesLegitimate basisData retention period
Processing carried out on behalf of a data controller for the provision of our services to clients.

The provision of services that COBEE (as data processor) provides to our clients (as data controllers) involves the
processing of personal data for which our clients are responsible.

COBEE, which provides a platform for the
procurement of flexible remuneration services for its clients, processes information on behalf of its clients, who are the data controllers, and has no direct
relationship with the individuals
whose personal data it processes. If you are a user of one of our clients, please   contact them for more information about their own privacy policy.
Clients (client company)
End users (employee of the client company)		Personal data (first name and surname(s))
Contact details (address, business mail)
Professional data (CV, position, company)
Bank account information (account number)

Where necessary, end-users may need to provide us with the following information:

Health details (degree of disability)
Personal data of minors (not required when contracting childcare services).

This information may differ depending on the data that end-users voluntarily and spontaneously share with COBEE.		Execution of the contractThe data will be retained in accordance with the terms of our Data Processing Agreement, which we sign with each of our clients.

6. How do we protect your personal data?

At COBEE, we take technical and organizational security measures to protect your personal data from loss, misuse, unauthorized access or disclosure. Some of the measures we take include data encryption, restricted access to personal data and regular data protection training for our staff.

COBEE is an ISO 27001 certified company. This standard is an internationally recognized norm which promotes a risk-based methodology that allows organizations to better manage information security, and which demonstrates that companies have implemented a Security Management System audited by a certified expert independent assessor (CEIA).

7. How do we store your personal data?

We store your personal data on secure cloud servers located in the European Union. We maintain technical and organizational measures to ensure absolute security of personal data and prevent its loss, misuse, unauthorized access or disclosure.

8. Who has access to your personal data?

COBEE will only disclose your personal data to third parties where this is strictly necessary to provide you with our services, when you have requested something from us that we are required to respond to, or when we are legally obliged to do so.

We may also communicate data to companies that provide us with services needed for the normal administrative activity of the company as Data Processors, always within the scope of providing services, such as:

  • Payment and payment processing service providers.
  • Technology service providers, such as cloud hosting and data analytics service providers.
  • Legal and financial advisors.
  • Regulatory and governmental authorities, where we are required to do so to comply with our legal obligations, or have been legally required to do so.

8.1 International or cross-border data transfer

We do not currently share data with providers outside the European Economic Area, so no international or cross-border transfer takes place. Our clients are informed of this in the Data Processing Agreement signed by each of them.

As Data Controllers, we will also share personal data among the different subsidiaries of the Group, based strictly on legitimate corporate interest. In the event that these activities take place between countries within the European Economic Area and/or our subsidiaries outside the European Economic Area,

international data transfer is carried out under contract and by signing the Standard Contractual Clauses (SCC) approved to this end by the European Commission:

https://eur-lex.europa.eu/legal-content/ES/ALL/?uri=CELEX:32021D0914

9. How do I exercise my rights in relation to my personal data?

Any individual has the right to access information concerning their personal data that COBEE is processing. The following are your rights:

  • Data subjects have the right to access their personal data, as well as request amendment of inaccurate data, or, where necessary, request its deletion when, among other reasons, such data is no longer needed for the purposes for which it was collected.
  • Under certain circumstances, data subjects may request data processing restriction, in which case data will only be retained for the purpose of exercising or defending claims.
  • Under certain circumstances and on grounds relating to their particular situation, data subjects may object to the processing of their data. In such cases, COBEE will immediately cease to process data, except for compelling legitimate grounds, or to exercise or defend possible claims.
  • Portability: the data subject has the right to receive personal data relating to him/her which they have provided to COBEE in a structured, commonly used and machine-readable format where (a) the processing is based on consent or a contract, and (b) processing is carried out by automated means.

We inform you of your right to lodge a complaint with the supervisory authority (www.aepd.es) in the event that the exercise of your rights hereunder has not been fully satisfied.

To exercise the aforesaid rights, please contact: privacy@cobee.io. On doing so, please give the following details:

  • First name and surname(s)
  • Contact email address
  • Right you wish to exercise
  • Data relating to your request

Within a maximum period of one month, we will answer your request by email.

10. What is the data retention period for your personal data?

We will retain your personal data for as long we need to do so in order to provide you with our services or as long as needed for us to comply with our legal obligations. When we no longer need your personal data, it will be securely deleted or anonymized.

For a specific data retention period, please refer to the tables in Section 5 of this Privacy Policy.

11. Changes in our Privacy Policy

We reserve the right to update this privacy policy at any time. If we make important changes to this Privacy Policy, we will notify you by posting a notice on our application or website, or by other appropriate means.

12. Contact details

If you have any questions or concerns about this privacy policy or how we treat your personal data, you may contact us at the following postal address: Francisco de Rojas 5 – Esc. Dcha. 1 – 3 – 28010 Madrid, or email us at privacy@cobee.io.

Request a demo